One of the larger questions facing the software industry is how can users trust code that is published on the Internet. Packaged software uses branding and trusted sales outlets to assure users of its integrity, but these are not available when code is transmitted on the Internet. Additionally, there is no guarantee that the code has not been altered while being downloaded. While browsers typically exhibit a warning message explaining the possible dangers of downloading data, they do nothing to actually see whether the code is what it claims to be. A more active approach must be taken to make the Internet a reliable medium for distributing software.
One way to verify the authenticity of software is through the use of digital signatures. However, smaller developers find that digitally signing software is difficult because of the necessity to manage the private keys used to sign the code. This is because each developer needs access to the private key to run and debug applications. Further, if a key is compromised, other applications can use the private key to spoof the identity of the original application and thereby obtain unauthorized access to resources and privileges that had been granted to that application.
Thus, there is a need for a system of signing software applications that provides a globally unique, verifiable identity for a given application. There is also a need for a system for using private keys in software development that minimizes the risks of the private key being lost or stolen. There is a need for a simple, cost effective system that allows developers within a small team to safely share a private key while minimizing the risks of it being lost or stolen. The present invention provides such a solution.